
SSO: Users forced to add password. Volo.Account.Pro 9.0.0 #8887


luke created
  • ABP Framework version: v9.0.5

  • UI Type: Angular

  • Database System: EF Core, SQL Server

  • Tiered (for MVC) or Auth Server Separated (for Angular): Yes

Both existing users and newly registering users, when using SSO, are now forced to add a password as of version 9. This seems to be an undocumented breaking change. It also seems to ignore some configuration options (which I believe to be a bug).

This code, used in both Login.cshtml.cs and Register.cshtml.cs, which redirects to the change password page, only looks at the "EnableLocalLogin" setting.

  1. If I were to disable EnableLocalLogin, I would not be able to have login/registration with a username/password for anyone.

  2. The VerifyPasswordDuringExternalLogin setting seems to have no bearing on this at all, but the addition of the below code seems to be there to facilitate it.

  3. The only way to prevent this behaviour is to override the entire sections of RegisterModel.OnPostInternal and LoginModel.OnGetExternalLoginCallbackAsync and comment out the below.

  4. This is a breaking change moving from ABP 8 to 9.

This is a fundamental change in the behaviour of the login flow; why would anyone want to enter a password when using SSO? It should be configurable.

I've laid this out very clearly, as I've seen the duplicate closed thread on this matter where the customer was told to override the entire login/registration page. I believe this was not the correct course of action. They were also told that "We have not changed the login/register code recently."; this code was added in version 9.

    if (await SettingProvider.IsTrueAsync(AccountSettingNames.EnableLocalLogin))
    {
        var user = await UserManager.FindByLoginAsync(loginInfo.LoginProvider, loginInfo.ProviderKey);
        if (user != null && user.PasswordHash == null)
        {
            await StoreChangePasswordUser(user);
            return RedirectToPage("./ChangePassword", new {
                returnUrl = ReturnUrl ?? "/",
                returnUrlHash = ReturnUrlHash
            });
        }
    }
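To make the two checks described above easier to reason about, here is a stand-alone model of the external-login decision (an added example, not ABP's code): `Current` mirrors the v9.0.0 logic quoted in this post (EnableLocalLogin plus a null PasswordHash forces the ChangePassword page; VerifyPasswordDuringExternalLogin only triggers the ExternalPasswordLogin check for users who already have a password), while `Proposed` shows how a dedicated opt-in would decouple the forced-password step from EnableLocalLogin. `RequirePasswordForExternalUsers` is a hypothetical placeholder setting, not an ABP option.

```csharp
using System;

// Added example: a simplified, dependency-free model of the decision made in
// LoginModel.OnGetExternalLoginCallbackAsync. Not ABP's implementation.
public enum ExternalLoginStep { SignIn, VerifyExistingPassword, CreatePassword }

public sealed class AccountSettings
{
    public bool EnableLocalLogin { get; init; } = true;
    public bool VerifyPasswordDuringExternalLogin { get; init; }
    // Hypothetical placeholder: models a dedicated switch for the forced-password step.
    public bool RequirePasswordForExternalUsers { get; init; }
}

public static class ExternalLoginFlow
{
    // v9.0.0 behaviour as quoted in the thread: any deployment with local login
    // enabled sends password-less SSO users to ChangePassword.
    public static ExternalLoginStep Current(AccountSettings s, string? passwordHash)
    {
        if (s.EnableLocalLogin && passwordHash == null)
            return ExternalLoginStep.CreatePassword;
        if (s.VerifyPasswordDuringExternalLogin && passwordHash != null)
            return ExternalLoginStep.VerifyExistingPassword;
        return ExternalLoginStep.SignIn;
    }

    // Proposed: the forced-password step needs an explicit opt-in, so
    // EnableLocalLogin keeps meaning only "allow username/password login".
    public static ExternalLoginStep Proposed(AccountSettings s, string? passwordHash)
    {
        if (s.EnableLocalLogin && s.RequirePasswordForExternalUsers && passwordHash == null)
            return ExternalLoginStep.CreatePassword;
        if (s.VerifyPasswordDuringExternalLogin && passwordHash != null)
            return ExternalLoginStep.VerifyExistingPassword;
        return ExternalLoginStep.SignIn;
    }

    public static void Main()
    {
        // Constructed scenario: local login enabled, password verification off,
        // SSO user who has never set a password (PasswordHash == null).
        var s = new AccountSettings { EnableLocalLogin = true, VerifyPasswordDuringExternalLogin = false };
        Console.WriteLine(Current(s, null));   // CreatePassword: the behaviour reported above
        Console.WriteLine(Proposed(s, null));  // SignIn: SSO user is not forced to create a password
        Console.WriteLine(Current(s, "hash")); // SignIn: VerifyPassword... is off, so no extra prompt
    }
}
```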

5 Answer(s)
  • EngincanV created
    Support Team .NET Developer

    Hi, actually it's configurable, we updated our Account Module Pro documentation about this change. Please refer to https://abp.io/docs/9.1/modules/account-pro#social-account-security-setting.


  • luke created

    Thanks for your response!

    I've tried the setting "VerifyPasswordDuringExternalLogin", as I said above in point 2. It didn't have any effect, so I checked the source, it is only referenced in one place LoginModel.ShouldAskUserPasswordAsync, to choose if they should enter their existing password. Not to choose if they should be required to create one.

            if (!await SettingProvider.IsTrueAsync(AccountSettingNames.VerifyPasswordDuringExternalLogin))
            {
                return null;
            }
    
            if (user.PasswordHash != null)
            {
                return RedirectToPage("./ExternalPasswordLogin", new
                {
                    returnUrl = ReturnUrl,
                    returnUrlHash = ReturnUrlHash
                });
            }
    
  • maliming created
    Support Team Fullstack Developer

    Hi,

    We will change this in the next 9.0.x patch version.

    Sorry for that.

  • luke created

    Thank you for sorting this! 😀

  • maliming created
    Support Team Fullstack Developer

    Your ticket has been refunded.

    Thank you.

Made with ❤️ on ABP v9.2.0-preview. Updated on March 13, 2025, 04:08